The following is an excerpt from Practice Perspectives: Vault's Guide to Legal Practice Areas.
Cecillia X. Xie, Associate — Litigation
Cecillia Xie advises clients across various sectors worldwide on strategies for managing privacy and data security risks. She has substantial experience counseling on privacy and cybersecurity issues in product development, corporate transactions—including joint ventures and M&A—and data breach preparation and response.
Cecillia assists both multinationals and startups with navigating the complex and emerging privacy regulatory regimes in the United States and internationally, including the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), and the General Data Protection Regulation (GDPR). She has extensive experience in legal research, as well as drafting and negotiating privacy and data security provisions in contracts. She is also well versed in the novel privacy issues in the online advertising space.
Cecillia is a lecturer in computer science at Yale University, where she teaches Intellectual Property in the Digital Age.
Cecillia earned her J.D. from Harvard Law School, where she served as speakers editor for the Journal of Law & Technology and president of the Child & Youth Advocates. During law school, Cecillia interned at the U.S. Department of Justice in the Computer Crime & Intellectual Property Section (CCIPS). She received her B.A., cum laude, in economics from Yale University.
Describe your practice area and what it entails.
Privacy and data security is a cross-practice that involves a mix of litigation and corporate, as well as counseling. In the litigation bucket, we help clients investigate and respond to data breaches, including conducting interviews, working with law enforcement, and responding to government inquiries regarding the data breach. On the corporate side, we draft agreements governing data sharing, security, and processing obligations generally between parties, as well as advise on the privacy and data security aspects of M&A and investments. For counseling, we assist our clients with creating privacy-compliance programs and structuring security-incident-response processes. Counseling also entails significant “product” work, such as helping a client decide what categories of information to collect through a new product/service, brainstorming what privacy features and settings in a product should look like, and advising on the limits of uses and disclosures for any collected information. In addition, there can be overlaps with employment when, for example, we advise companies on employee monitoring programs, and with national security, such as when clients come to us with questions about implementing advanced defensive measures against cyber attacks.
What types of clients do you represent?
We represent everything from small startups that are looking to sign their first customer to large, established multinational corporations. I have represented a significant number of tech firms, as well as companies outside of the classical “tech” sector, including in the hospitality, consumer products, and media sectors. I also have done work for large financial institutions and private equity firms.
What types of cases/deals do you work on?
The litigation matters I work on pertain to investigating a security incident/data breach or responding to a government inquiry about a security incident/data breach. These matters typically involve coordinating forensic and document reviews with meetings and written responses to government agencies or law enforcement. For deals, in addition to the M&A and investments work described above, I also work on joint ventures (due to the necessary sharing of data implicated), service provider agreements that involve a service provider processing data on behalf of a company, and privacy policies and terms and conditions for consumer-facing products or services.
How did you choose this practice area?
For me, privacy and data security is the most dynamic but also most personal practice area of law. Growing up with technology and new gadgets every year, I loved the convenience and new capabilities that such technology afforded me. I became aware, however, of the privacy implications of these new tools as schools and parents rolled out GPS tracking and device monitoring for their children. It was baffling to me that there were so few laws regulating those types of activities, even by private corporations. I studied privacy issues in college and law school as a result, and upon graduation, I was thrilled to see that law firms were beginning to grow their privacy practices in response to the privacy issues that I felt were so omnipresent when I was younger.
What is a typical day like and/or what are some common tasks you perform?
My day can vary greatly depending on what hat I’m wearing for a matter. Sometimes, I am able to set aside the whole day to research or think about a new privacy law and write a memo for a client analyzing the new law’s applicability to, and obligations for, the client. Most other days, however, involve greater intermittent partner and client contact—phone calls to discuss, for example, privacy considerations as the client develops a service or as the client looks to acquire a company. For a breach response, my days can be filled with back-to-back calls with the client’s legal and information security departments, the forensic investigator, and law enforcement, which, surprisingly, resembles the hectic-but-exciting crisis management scenes in movies. Common tasks also include commenting on draft privacy and data security provisions in contracts, reviewing or drafting privacy policies, corresponding with regulators, and summarizing relevant laws and issues for clients.
What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?
Keeping up with the new capabilities of technology is extremely helpful—facility and familiarity with how your own personal information is used in the apps and services you use readily translate to facility and familiarity with your clients’ products. Because privacy involves reading and interpreting new legislation, legislation/regulation classes and experience are also helpful. Privacy also intersects with data use more generally, so intellectual property is great training. Above all, critical thinking is essential, no matter what training, class, or experience it’s developed as a part of.
What is unique about your practice area at your firm?
Unlike at many other firms, privacy is its own practice group at MoFo, which is fantastic. This specialization and trove of resources mean that I am confident that I will not miss key legal developments in privacy and that I have many colleagues to debate with and bounce ideas off, which is particularly important due to the unsettled nature of privacy law. We have an excellent group culture where all partners and associates know each other, partners earnestly solicit and value associate opinions, and associates can take on lots of responsibility early on.
How do you see this practice area evolving in the future?
With the advent of the GDPR in Europe and the CCPA in the United States, privacy is only growing as a practice area, which is what makes the practice area so exciting. Other countries and individual states in the U.S. are introducing privacy legislation in the wake of the newfound attention on privacy, so the practice looks like it will continue to be even more multijurisdictional and will require mastery of a continually changing patchwork privacy regime. While it’s impossible to predict how the privacy and data security laws will evolve, I can say that it won’t be boring!
What are some typical career paths for lawyers in this practice area?
There are a growing number of in-house privacy opportunities at large companies and startups, as well as growing privacy groups at law firms. Privacy also overlaps with work in government and nonprofit organizations, such as the Mozilla Foundation, the Electronic Frontier Foundation, and the Electronic Privacy Information Center. Similar to the fact that privacy work itself spans several law firm practice groups, typical career paths for privacy lawyers can span numerous industries and sectors, both public and private, big and small.
Given how quickly technology is evolving, how do you stay ahead of the curve and prepare for issues that may arise?